CVE-2026-35664

CVSS v3.1

5.3

Medium

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

OpenClaw before 2026.3.25 contains an authentication bypass vulnerability in raw card send surface that allows unpaired recipients to mint legacy callback payloads. Attackers can send raw card commands to bypass DM pairing restrictions and reach callback handling without proper authorization.

Fix

Authentication Bypass Using an Alternate Path or Channel

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-288

Related Identifiers

CVE-2026-35664

Affected Products

Openclaw

CVE-2026-35664

Weakness Enumeration

Related Identifiers

Affected Products

References · 4